@yallet/rwa-sdk 0.2.0

package/README.md

@@ -0,0 +1,365 @@
+# Yallet RWA SDK
+
+SDK for minting encrypted RWA (Real World Assets) as Solana compressed NFTs (cNFTs).
+
+## Features
+
+- 🔐 **End-to-end encryption** using xidentity (X25519) public keys
+- 📦 **Permanent storage** on Arweave via ArDrive Turbo
+- 🌳 **Compressed NFTs** via Metaplex Bubblegum (low cost)
+- 👥 **User registry** for xidentity management
+- 📄 **Multiple asset types**: Invoices, Notes (messages), Files, Photos, Contacts
+- 🔗 **Chrome extension compatible**: Payloads match Yallet extension decrypt format
+- 🧩 **Optional WASM**: Use acegf WASM for encryption (see [wasm/README.md](wasm/README.md))
+
+## Installation
+
+```bash
+npm install @yallet/rwa-sdk
+```
+
+## Quick Start
+
+```typescript
+import { createRWASDK, AssetType } from '@yallet/rwa-sdk';
+
+// 1. Create SDK instance
+const sdk = createRWASDK({
+  rpcEndpoint: 'https://api.mainnet-beta.solana.com',
+  network: 'mainnet',
+  merkleTreeAddress: 'YOUR_MERKLE_TREE_ADDRESS',
+  arweaveApiKey: 'YOUR_ARWEAVE_API_KEY', // Optional for free tier
+});
+
+// 2. Set up signer (for minting transactions)
+import { keypairIdentity } from '@metaplex-foundation/umi';
+sdk.setSigner(yourKeypair);
+
+// 3. Register users with their xidentity
+await sdk.registerUser({
+  solanaAddress: 'CUSTOMER_WALLET_ADDRESS',
+  xidentity: 'BASE64_XIDENTITY_PUBLIC_KEY', // From Yallet wallet
+  name: 'Customer Name',
+  registeredAt: Date.now(),
+});
+
+// 4. Mint encrypted invoice
+const result = await sdk.mintInvoice(
+  {
+    invoiceId: 'INV-2024-001',
+    amount: 1500.00,
+    currency: 'USD',
+    date: new Date().toISOString(),
+    dueDate: new Date(Date.now() + 30 * 24 * 60 * 60 * 1000).toISOString(),
+    items: [
+      { description: 'Consulting Services', quantity: 10, unitPrice: 150, amount: 1500 }
+    ],
+  },
+  'CUSTOMER_WALLET_ADDRESS',
+  { name: 'Invoice #INV-2024-001' }
+);
+
+console.log('Minted:', result.assetId);
+console.log('Signature:', result.signature);
+```
+
+## Architecture
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│                      Your Application                        │
+├─────────────────────────────────────────────────────────────┤
+│                     Yallet RWA SDK                          │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────┐         │
+│  │  Registry   │  │ Encryption  │  │   Minting   │         │
+│  │ (xidentity) │  │   (ECIES)   │  │ (Bubblegum) │         │
+│  └─────────────┘  └─────────────┘  └─────────────┘         │
+│                   ┌─────────────┐                           │
+│                   │   Storage   │                           │
+│                   │  (Arweave)  │                           │
+│                   └─────────────┘                           │
+├─────────────────────────────────────────────────────────────┤
+│  Solana Blockchain        │         Arweave Network         │
+│  (cNFT Ownership)         │      (Encrypted Data Storage)   │
+└─────────────────────────────────────────────────────────────┘
+```
+
+## User Registration Flow
+
+Before minting assets to a user, they must register their xidentity:
+
+```typescript
+// User provides their xidentity (from Yallet wallet)
+// The xidentity is a base64-encoded X25519 public key
+
+await sdk.registerUser({
+  solanaAddress: 'USER_WALLET_ADDRESS',
+  xidentity: 'ZzFXyDpLw7GMu3PiPopkM7hHBRWTupjcP7qxSJO2SHU=',
+  name: 'John Doe',
+  email: 'john@example.com', // Optional
+  registeredAt: Date.now(),
+});
+```
+
+### Getting xidentity from Yallet Wallet
+
+Users can export their xidentity from Yallet wallet:
+1. Open Yallet → Settings → Export xidentity
+2. The xidentity is safe to share (it's a public key)
+3. Only the wallet owner can decrypt assets encrypted with their xidentity
+
+## API Reference
+
+### `createRWASDK(config, options?)`
+
+Create a new SDK instance.
+
+```typescript
+const sdk = createRWASDK({
+  // Required
+  rpcEndpoint: 'https://api.mainnet-beta.solana.com',
+  network: 'mainnet', // or 'devnet'
+
+  // Merkle Tree (required for minting)
+  merkleTreeAddress: 'YOUR_TREE_ADDRESS',
+  merkleTreeAuthority: 'TREE_AUTHORITY', // Optional
+
+  // Arweave (optional)
+  arweaveEndpoint: 'https://turbo.irys.xyz',
+  arweaveApiKey: 'YOUR_API_KEY',
+
+  // Backend API (optional, for tree management)
+  backendApiUrl: 'https://api.yourdomain.com',
+});
+```
+
+### `sdk.registerUser(user)`
+
+Register a user with their xidentity.
+
+```typescript
+await sdk.registerUser({
+  solanaAddress: string,  // User's Solana wallet address
+  xidentity: string,      // Base64-encoded X25519 public key
+  name?: string,          // Display name
+  email?: string,         // Email address
+  metadata?: object,      // Custom metadata
+});
+```
+
+### `sdk.mintInvoice(invoice, recipientAddress, options?)`
+
+Mint an encrypted invoice to a registered user (payload matches Yallet extension decrypt format). Optionally pass `pdfBase64`, `senderProfile`, `recipientProfile` for extension display.
+
+### `sdk.mintFile(file, recipientAddress, options?)`
+
+Mint an encrypted file (FileData: filename, mimeType, content base64, size).
+
+### `sdk.mintMessage(note, recipientAddress, options?)`
+
+Mint an encrypted message/note (NoteData: title, content), with optional `replyTo`. Payload type is always `sent` (institution sends to users).
+
+### `sdk.mintPhoto(photo, recipientAddress, options?)`
+
+Mint an encrypted photo (PhotoData: filename, mimeType, content base64).
+
+### Example: mintInvoice
+
+```typescript
+const result = await sdk.mintInvoice(
+  {
+    invoiceId: 'INV-001',
+    amount: 100.00,
+    currency: 'USD',
+    date: '2024-01-15T00:00:00Z',
+    dueDate: '2024-02-15T00:00:00Z',
+    description: 'Monthly subscription',
+    items: [
+      { description: 'Service', quantity: 1, unitPrice: 100, amount: 100 }
+    ],
+  },
+  'RECIPIENT_ADDRESS',
+  { name: 'Invoice #INV-001', pdfBase64: '...' }  // optional PDF
+);
+```
+
+### `sdk.mint(request)`
+
+Mint any asset type.
+
+```typescript
+const result = await sdk.mint({
+  assetType: AssetType.NOTE,
+  assetData: {
+    title: 'Meeting Notes',
+    content: 'Discussion points...',
+    tags: ['meeting', 'project-x'],
+  },
+  recipientAddress: 'RECIPIENT_ADDRESS',
+  name: 'Meeting Notes - Jan 15',
+});
+```
+
+## Asset Types
+
+| Type | Description | Data Structure |
+|------|-------------|----------------|
+| `INVOICE` | Invoice | `InvoiceData` |
+| `NOTE` | Message / note | `NoteData` |
+| `FILE` | File | `FileData` |
+| `PHOTO` | Photo | `PhotoData` |
+| `CONTACT` | Contact | `ContactData` |
+
+## Payload builders (extension JSON–compatible)
+
+To customize the payload before encryption, use the same builder functions the Yallet extension expects:
+
+```typescript
+import {
+  buildInvoicePayload,
+  buildFilePayload,
+  buildMessagePayload,
+  buildPhotoPayload,
+} from '@yallet/rwa-sdk';
+
+const bundle = buildInvoicePayload(invoice, { pdfBase64, senderProfile, recipientProfile });
+const filePayload = buildFilePayload(fileData);
+const notePayload = buildMessagePayload(noteData, { replyTo: previousNftId });
+const photoPayload = buildPhotoPayload(photoData);
+```
+
+## Custom User Registry
+
+For production, implement a database-backed registry:
+
+```typescript
+import { createRWASDK } from '@yallet/rwa-sdk';
+
+const sdk = createRWASDK(config, {
+  registry: {
+    type: 'http',
+    httpConfig: {
+      baseUrl: 'https://api.yourdomain.com/registry',
+      apiKey: 'YOUR_API_KEY',
+    },
+  },
+});
+```
+
+Or implement the `UserRegistry` interface:
+
+```typescript
+import type { UserRegistry, RegisteredUser } from '@yallet/rwa-sdk';
+
+class MyDatabaseRegistry implements UserRegistry {
+  async getUser(solanaAddress: string): Promise<RegisteredUser | null> {
+    // Query your database
+  }
+  async registerUser(user: RegisteredUser): Promise<void> {
+    // Insert into database
+  }
+  // ... other methods
+}
+
+const sdk = createRWASDK(config, {
+  registry: new MyDatabaseRegistry(),
+});
+```
+
+## Server-side Mint (Yault credential NFT)
+
+For Yault or other apps that prefer **server-side mint** (no registry, no signer):
+
+```typescript
+import { mintCredentialNftViaServer, RWA_UPLOAD_AND_MINT_ENDPOINTS } from '@yallet/rwa-sdk';
+
+const result = await mintCredentialNftViaServer(
+  recipientSolanaAddress,
+  { user_cred, mnemonic, index, label },
+  {
+    xidentity: recipientXidentity,  // from recipient-addresses API
+    dev: true,                      // use built-in dev endpoint
+    uploadAndMintApiUrl: undefined, // override if needed
+    network: 'devnet',
+  }
+);
+```
+
+### Dev mode
+
+When `dev: true` and `uploadAndMintApiUrl` is not set, the SDK uses `RWA_UPLOAD_AND_MINT_ENDPOINTS.dev` (`api.yallet.xyz`). For production, use `dev: false` or pass `uploadAndMintApiUrl` explicitly.
+
+## WASM encryption (Yallet extension–compatible)
+
+For full compatibility with Yallet extension decryption, use acegf WASM encryption:
+
+1. In [acegf-wallet](https://github.com/phaykhe/yallet-chrome), run `wasm-pack build --target web`, then copy the generated `pkg/acegf_bg.wasm` and `pkg/acegf.js` into this SDK's `wasm/` directory (or your deploy path).
+2. In your app, initialize WASM and pass the encrypt function into the SDK:
+
+```typescript
+import init from './wasm/acegf.js';  // or your path
+import { createRWASDK, createWasmEncryptor } from '@yallet/rwa-sdk';
+
+const acegf = await init();  // optional wasm path: init('/path/to/acegf_bg.wasm')
+const sdk = createRWASDK(config, {
+  wasmEncryptFn: createWasmEncryptor(acegf.acegf_encrypt_for_xidentity),
+});
+```
+
+Without `wasmEncryptFn`, the SDK uses built-in pure JS ECIES; production should use WASM. See [wasm/README.md](wasm/README.md).
+
+### Encryption ↔ extension decrypt (inverse)
+
+The built-in ECIES in this SDK is aligned with **dev.yallet.chrome-extension** (acegf WASM) so that:
+
+- **Encrypt (SDK / Yault):** `shared_secret = ECDH(ephemeral, xidentity)` → `dh_key = SHA256(shared_secret)` → `encrypted_aes_key = AES-GCM(dh_key).encrypt(iv, random_aes_key)` → `encrypted_data = AES-GCM(aes_key).encrypt(iv, plaintext)`. Payload on Arweave: `{ encrypted: { ephemeral_pub, encrypted_aes_key, iv, encrypted_data }, metadata }`.
+- **Decrypt (extension):** `dh_key = SHA256(ECDH(ephemeral_pub, recipient_private))` → `aes_key = AES-GCM(dh_key).decrypt(iv, encrypted_aes_key)` → `plaintext = AES-GCM(aes_key).decrypt(iv, encrypted_data)` → decode base64, optional gzip, then `envelope.data` (e.g. note `{ title, content, metadata }`).
+
+Envelope shape: `{ version, type, timestamp, uuid, schema?, previousToken?, data: asset }`. The extension expects `envelope.data` to have e.g. `title` and `content` for notes. Server-side credential mint uses the same envelope and note shape so the extension can decrypt and show the note.
+
+## Merkle Tree Setup
+
+Before minting, you need a Merkle tree. Create one using Metaplex:
+
+```typescript
+import { createTree } from '@metaplex-foundation/mpl-bubblegum';
+
+const { tree } = await createTree(umi, {
+  maxDepth: 14,        // 16,384 NFTs capacity
+  maxBufferSize: 64,
+});
+
+sdk.setTreeConfig({
+  treeAddress: tree.publicKey,
+  treeAuthority: umi.identity.publicKey,
+  maxDepth: 14,
+  capacity: 16384,
+  used: 0,
+  remaining: 16384,
+  usagePercent: 0,
+});
+```
+
+## Error Handling
+
+```typescript
+const result = await sdk.mintInvoice(invoice, recipientAddress);
+
+if (!result.success) {
+  console.error('Minting failed:', result.error);
+  // Handle error
+} else {
+  console.log('Success! Asset ID:', result.assetId);
+}
+```
+
+## License
+
+MIT
+
+## Links
+
+- [Yallet Wallet](https://yallet.app)
+- [Metaplex Bubblegum](https://developers.metaplex.com/bubblegum)
+- [ArDrive Turbo (Arweave)](https://docs.ardrive.io/docs/turbo/turbo-sdk/)
+- [Arweave](https://docs.arweave.org/)

package/dist/credential-nft-server.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Yault credential NFT — server-side mint flow.
+ *
+ * Encrypts credential payload locally with recipient's xidentity, then POSTs
+ * to upload-and-mint API. No registry, signer, or client-side mint needed.
+ */
+/** Payload shape agreed with Yault webapp */
+export interface CredentialNftPayload {
+    user_cred: string;
+    mnemonic?: string | null;
+    index: number;
+    label: string;
+    /** Optional memo (e.g. "letter to future heirs") — encrypted together with credential, delivered when release triggers. */
+    memo?: string | null;
+}
+/** Result shape expected by Yault */
+export interface CredentialMintResult {
+    success: boolean;
+    txId?: string;
+    error?: string;
+}
+/** Options for server-side mint */
+export interface MintCredentialNftViaServerOptions {
+    /** Recipient's xidentity (base64). Required. */
+    xidentity: string;
+    /** Upload-and-mint API URL. If omitted, uses built-in prod/dev endpoint. */
+    uploadAndMintApiUrl?: string;
+    /** When true, uses built-in dev endpoint (if uploadAndMintApiUrl not set). */
+    dev?: boolean;
+    /** Optional: custom headers (e.g. Authorization) for the API request */
+    headers?: Record<string, string>;
+    /** Network for mint (mainnet | devnet). Default: mainnet */
+    network?: 'mainnet' | 'devnet';
+}
+/** Options for preparing payload only (no POST). Same as MintCredentialNftViaServerOptions minus upload/headers. */
+export interface PrepareCredentialNftPayloadOptions {
+    /** Recipient's xidentity (base64). Required. */
+    xidentity: string;
+    /** Network for mint (mainnet | devnet). Default: mainnet */
+    network?: 'mainnet' | 'devnet';
+}
+/** Result of prepareCredentialNftPayload: the exact body to POST to upload-and-mint later. */
+export interface PreparedCredentialNftPayload {
+    /** Request body to POST to upload-and-mint API (data, contentType, tags, leafOwner, name, description, network). */
+    body: Record<string, unknown>;
+    /** Recipient Solana address (leafOwner). */
+    recipientSolanaAddress: string;
+}
+/** Built-in endpoints for upload-and-mint API */
+export declare const RWA_UPLOAD_AND_MINT_ENDPOINTS: {
+    readonly prod: "https://api.yallet.xyz/api/v1/storage/rwa/upload-and-mint";
+    readonly dev: "https://api.yallet.xyz/api/v1/storage/rwa/upload-and-mint";
+};
+/**
+ * Build the same upload-and-mint request body as mintCredentialNftViaServer, without sending.
+ * Used to store the encrypted note server-side (e.g. Oracle binding) and send only after attestation.
+ *
+ * @param recipientSolanaAddress - Recipient's Solana address (leafOwner)
+ * @param payload - { user_cred, mnemonic?, index, label }
+ * @param options - { xidentity, network? }
+ * @returns { body, recipientSolanaAddress } — body is the exact JSON to POST to upload-and-mint later
+ */
+export declare function prepareCredentialNftPayload(recipientSolanaAddress: string, payload: CredentialNftPayload, options: PrepareCredentialNftPayloadOptions): Promise<PreparedCredentialNftPayload>;
+/**
+ * Mint credential payload via server (upload-and-mint API).
+ *
+ * Caller provides xidentity from recipient-addresses. No registry or signer.
+ *
+ * @param recipientSolanaAddress - Recipient's Solana address (leafOwner)
+ * @param payload - { user_cred, mnemonic?, index, label }
+ * @param options - { xidentity, uploadAndMintApiUrl?, dev?, headers?, network? }
+ * @returns { success, txId?, error? }
+ */
+export declare function mintCredentialNftViaServer(recipientSolanaAddress: string, payload: CredentialNftPayload, options: MintCredentialNftViaServerOptions): Promise<CredentialMintResult>;
+//# sourceMappingURL=credential-nft-server.d.ts.map

package/dist/credential-nft-server.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-nft-server.d.ts","sourceRoot":"","sources":["../src/credential-nft-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAMH,6CAA6C;AAC7C,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;IACd,2HAA2H;IAC3H,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACtB;AAED,qCAAqC;AACrC,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,mCAAmC;AACnC,MAAM,WAAW,iCAAiC;IAChD,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,4EAA4E;IAC5E,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B,8EAA8E;IAC9E,GAAG,CAAC,EAAE,OAAO,CAAC;IACd,wEAAwE;IACxE,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,4DAA4D;IAC5D,OAAO,CAAC,EAAE,SAAS,GAAG,QAAQ,CAAC;CAChC;AAED,oHAAoH;AACpH,MAAM,WAAW,kCAAkC;IACjD,gDAAgD;IAChD,SAAS,EAAE,MAAM,CAAC;IAClB,4DAA4D;IAC5D,OAAO,CAAC,EAAE,SAAS,GAAG,QAAQ,CAAC;CAChC;AAED,8FAA8F;AAC9F,MAAM,WAAW,4BAA4B;IAC3C,oHAAoH;IACpH,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC9B,4CAA4C;IAC5C,sBAAsB,EAAE,MAAM,CAAC;CAChC;AAED,iDAAiD;AACjD,eAAO,MAAM,6BAA6B;;;CAGhC,CAAC;AAYX;;;;;;;;GAQG;AACH,wBAAsB,2BAA2B,CAC/C,sBAAsB,EAAE,MAAM,EAC9B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,kCAAkC,GAC1C,OAAO,CAAC,4BAA4B,CAAC,CAoDvC;AAED;;;;;;;;;GASG;AACH,wBAAsB,0BAA0B,CAC9C,sBAAsB,EAAE,MAAM,EAC9B,OAAO,EAAE,oBAAoB,EAC7B,OAAO,EAAE,iCAAiC,GACzC,OAAO,CAAC,oBAAoB,CAAC,CA6C/B"}

package/dist/credential-nft-server.js

@@ -0,0 +1,122 @@
+/**
+ * Yault credential NFT — server-side mint flow.
+ *
+ * Encrypts credential payload locally with recipient's xidentity, then POSTs
+ * to upload-and-mint API. No registry, signer, or client-side mint needed.
+ */
+import { AssetType } from './types.js';
+import { ECIESEncryptor } from './encryption.js';
+import { encryptAsset } from './encryption.js';
+/** Built-in endpoints for upload-and-mint API */
+export const RWA_UPLOAD_AND_MINT_ENDPOINTS = {
+    prod: 'https://api.yallet.xyz/api/v1/storage/rwa/upload-and-mint',
+    dev: 'https://api.yallet.xyz/api/v1/storage/rwa/upload-and-mint',
+};
+const NOTE_TITLE = 'Yault Release Credentials';
+function bytesToBase64(bytes) {
+    let binary = '';
+    for (let i = 0; i < bytes.length; i++) {
+        binary += String.fromCharCode(bytes[i]);
+    }
+    return btoa(binary);
+}
+/**
+ * Build the same upload-and-mint request body as mintCredentialNftViaServer, without sending.
+ * Used to store the encrypted note server-side (e.g. Oracle binding) and send only after attestation.
+ *
+ * @param recipientSolanaAddress - Recipient's Solana address (leafOwner)
+ * @param payload - { user_cred, mnemonic?, index, label }
+ * @param options - { xidentity, network? }
+ * @returns { body, recipientSolanaAddress } — body is the exact JSON to POST to upload-and-mint later
+ */
+export async function prepareCredentialNftPayload(recipientSolanaAddress, payload, options) {
+    const { xidentity, network = 'mainnet' } = options;
+    if (!xidentity || !xidentity.trim()) {
+        throw new Error('xidentity is required');
+    }
+    const note = {
+        title: NOTE_TITLE,
+        content: JSON.stringify(payload),
+        metadata: { createdAt: new Date().toISOString() },
+    };
+    const name = `${NOTE_TITLE} — ${payload.label}`;
+    const description = `Path index ${payload.index}. Decrypt in Yallet to view credentials.`;
+    const encryptor = new ECIESEncryptor();
+    const encrypted = await encryptAsset(note, AssetType.NOTE, xidentity.trim(), encryptor);
+    const payloadForStorage = {
+        encrypted: {
+            ephemeral_pub: encrypted.ephemeral_pub,
+            encrypted_aes_key: encrypted.encrypted_aes_key,
+            iv: encrypted.iv,
+            encrypted_data: encrypted.encrypted_data,
+        },
+        metadata: {
+            assetType: AssetType.NOTE,
+            direction: 'received',
+            network,
+            version: encrypted.version,
+            uuid: encrypted.uuid,
+            timestamp: encrypted.timestamp,
+            dataSize: encrypted.dataSize,
+            uploadedAt: Date.now(),
+        },
+    };
+    const jsonString = JSON.stringify(payloadForStorage);
+    const dataBase64 = bytesToBase64(new TextEncoder().encode(jsonString));
+    const body = {
+        data: dataBase64,
+        contentType: 'application/json',
+        tags: { 'Yallet-Type': 'encrypted-asset', 'Asset-Type': AssetType.NOTE, 'Direction': 'received' },
+        leafOwner: recipientSolanaAddress,
+        name,
+        description,
+        network,
+    };
+    return { body, recipientSolanaAddress };
+}
+/**
+ * Mint credential payload via server (upload-and-mint API).
+ *
+ * Caller provides xidentity from recipient-addresses. No registry or signer.
+ *
+ * @param recipientSolanaAddress - Recipient's Solana address (leafOwner)
+ * @param payload - { user_cred, mnemonic?, index, label }
+ * @param options - { xidentity, uploadAndMintApiUrl?, dev?, headers?, network? }
+ * @returns { success, txId?, error? }
+ */
+export async function mintCredentialNftViaServer(recipientSolanaAddress, payload, options) {
+    const { xidentity, uploadAndMintApiUrl, dev = false, headers = {}, network = 'mainnet' } = options;
+    if (!xidentity || !xidentity.trim()) {
+        return { success: false, error: 'xidentity is required' };
+    }
+    const apiUrl = uploadAndMintApiUrl ||
+        (dev ? RWA_UPLOAD_AND_MINT_ENDPOINTS.dev : RWA_UPLOAD_AND_MINT_ENDPOINTS.prod);
+    const { body } = await prepareCredentialNftPayload(recipientSolanaAddress, payload, { xidentity, network });
+    try {
+        const response = await fetch(apiUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                ...headers,
+            },
+            body: JSON.stringify(body),
+        });
+        const result = (await response.json().catch(() => ({})));
+        if (!response.ok) {
+            return {
+                success: false,
+                error: result?.error || response.statusText || 'Upload-and-mint failed',
+            };
+        }
+        const signature = result?.mint?.signature;
+        return {
+            success: true,
+            txId: signature,
+        };
+    }
+    catch (err) {
+        const message = err instanceof Error ? err.message : String(err);
+        return { success: false, error: message };
+    }
+}
+//# sourceMappingURL=credential-nft-server.js.map

package/dist/credential-nft-server.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-nft-server.js","sourceRoot":"","sources":["../src/credential-nft-server.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AACvC,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAiD/C,iDAAiD;AACjD,MAAM,CAAC,MAAM,6BAA6B,GAAG;IAC3C,IAAI,EAAE,2DAA2D;IACjE,GAAG,EAAE,2DAA2D;CACxD,CAAC;AAEX,MAAM,UAAU,GAAG,2BAA2B,CAAC;AAE/C,SAAS,aAAa,CAAC,KAAiB;IACtC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC;IACD,OAAO,IAAI,CAAC,MAAM,CAAC,CAAC;AACtB,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,CAAC,KAAK,UAAU,2BAA2B,CAC/C,sBAA8B,EAC9B,OAA6B,EAC7B,OAA2C;IAE3C,MAAM,EAAE,SAAS,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,OAAO,CAAC;IAEnD,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,uBAAuB,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,IAAI,GAAG;QACX,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;QAChC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;KAClD,CAAC;IAEF,MAAM,IAAI,GAAG,GAAG,UAAU,MAAM,OAAO,CAAC,KAAK,EAAE,CAAC;IAChD,MAAM,WAAW,GAAG,cAAc,OAAO,CAAC,KAAK,0CAA0C,CAAC;IAE1F,MAAM,SAAS,GAAG,IAAI,cAAc,EAAE,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,YAAY,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,SAAS,CAAC,IAAI,EAAE,EAAE,SAAS,CAAC,CAAC;IAExF,MAAM,iBAAiB,GAAG;QACxB,SAAS,EAAE;YACT,aAAa,EAAE,SAAS,CAAC,aAAa;YACtC,iBAAiB,EAAE,SAAS,CAAC,iBAAiB;YAC9C,EAAE,EAAE,SAAS,CAAC,EAAE;YAChB,cAAc,EAAE,SAAS,CAAC,cAAc;SACzC;QACD,QAAQ,EAAE;YACR,SAAS,EAAE,SAAS,CAAC,IAAI;YACzB,SAAS,EAAE,UAAmB;YAC9B,OAAO;YACP,OAAO,EAAE,SAAS,CAAC,OAAO;YAC1B,IAAI,EAAE,SAAS,CAAC,IAAI;YACpB,SAAS,EAAE,SAAS,CAAC,SAAS;YAC9B,QAAQ,EAAE,SAAS,CAAC,QAAQ;YAC5B,UAAU,EAAE,IAAI,CAAC,GAAG,EAAE;SACvB;KACF,CAAC;IAEF,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;IACrD,MAAM,UAAU,GAAG,aAAa,CAAC,IAAI,WAAW,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IAEvE,MAAM,IAAI,GAA4B;QACpC,IAAI,EAAE,UAAU;QAChB,WAAW,EAAE,kBAAkB;QAC/B,IAAI,EAAE,EAAE,aAAa,EAAE,iBAAiB,EAAE,YAAY,EAAE,SAAS,CAAC,IAAI,EAAE,WAAW,EAAE,UAAU,EAAE;QACjG,SAAS,EAAE,sBAAsB;QACjC,IAAI;QACJ,WAAW;QACX,OAAO;KACR,CAAC;IAEF,OAAO,EAAE,IAAI,EAAE,sBAAsB,EAAE,CAAC;AAC1C,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,CAAC,KAAK,UAAU,0BAA0B,CAC9C,sBAA8B,EAC9B,OAA6B,EAC7B,OAA0C;IAE1C,MAAM,EAAE,SAAS,EAAE,mBAAmB,EAAE,GAAG,GAAG,KAAK,EAAE,OAAO,GAAG,EAAE,EAAE,OAAO,GAAG,SAAS,EAAE,GAAG,OAAO,CAAC;IAEnG,IAAI,CAAC,SAAS,IAAI,CAAC,SAAS,CAAC,IAAI,EAAE,EAAE,CAAC;QACpC,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC;IAC5D,CAAC;IAED,MAAM,MAAM,GACV,mBAAmB;QACnB,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B,CAAC,GAAG,CAAC,CAAC,CAAC,6BAA6B,CAAC,IAAI,CAAC,CAAC;IAEjF,MAAM,EAAE,IAAI,EAAE,GAAG,MAAM,2BAA2B,CAAC,sBAAsB,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,OAAO,EAAE,CAAC,CAAC;IAE5G,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE;YACnC,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,GAAG,OAAO;aACX;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC;SAC3B,CAAC,CAAC;QAEH,MAAM,MAAM,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,CAAC,CAItD,CAAC;QAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,MAAM,EAAE,KAAK,IAAI,QAAQ,CAAC,UAAU,IAAI,wBAAwB;aACxE,CAAC;QACJ,CAAC;QAED,MAAM,SAAS,GAAG,MAAM,EAAE,IAAI,EAAE,SAAS,CAAC;QAC1C,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,SAAS;SAChB,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACjE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,CAAC;IAC5C,CAAC;AACH,CAAC"}

package/dist/credential-nft.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Yault credential NFT — mint release credentials (user_cred + optional mnemonic)
+ * as an encrypted message cNFT to the recipient.
+ *
+ * Used by Yault webapp after Plan submit: custody WASM generates credentials,
+ * this function mints them to the recipient's Solana address via RWA SDK mintMessage.
+ */
+import type { YalletRWASDK } from './sdk.js';
+/** Payload shape agreed with Yault webapp (mnemonic optional until path design includes it). */
+export interface CredentialNftPayload {
+    user_cred: string;
+    mnemonic?: string | null;
+    index: number;
+    label: string;
+}
+/** Result shape expected by Yault: success, txId (assetId or signature), error. */
+export interface CredentialMintResult {
+    success: boolean;
+    txId?: string;
+    error?: string;
+}
+/**
+ * Mint credential payload as an encrypted note cNFT to the recipient.
+ *
+ * @param sdk - Initialized YalletRWASDK (config, signer, registry set)
+ * @param recipientSolanaAddress - Recipient's Solana address (must be registered in SDK registry with xidentity)
+ * @param payload - { user_cred, mnemonic?, index, label }
+ * @returns { success, txId?, error? } for Yault UI
+ */
+export declare function mintCredentialNft(sdk: YalletRWASDK, recipientSolanaAddress: string, payload: CredentialNftPayload): Promise<CredentialMintResult>;
+//# sourceMappingURL=credential-nft.d.ts.map

package/dist/credential-nft.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-nft.d.ts","sourceRoot":"","sources":["../src/credential-nft.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAG7C,gGAAgG;AAChG,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,CAAC;CACf;AAED,mFAAmF;AACnF,MAAM,WAAW,oBAAoB;IACnC,OAAO,EAAE,OAAO,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAID;;;;;;;GAOG;AACH,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,YAAY,EACjB,sBAAsB,EAAE,MAAM,EAC9B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,oBAAoB,CAAC,CAuB/B"}

package/dist/credential-nft.js

@@ -0,0 +1,38 @@
+/**
+ * Yault credential NFT — mint release credentials (user_cred + optional mnemonic)
+ * as an encrypted message cNFT to the recipient.
+ *
+ * Used by Yault webapp after Plan submit: custody WASM generates credentials,
+ * this function mints them to the recipient's Solana address via RWA SDK mintMessage.
+ */
+const NOTE_TITLE = 'Yault Release Credentials';
+/**
+ * Mint credential payload as an encrypted note cNFT to the recipient.
+ *
+ * @param sdk - Initialized YalletRWASDK (config, signer, registry set)
+ * @param recipientSolanaAddress - Recipient's Solana address (must be registered in SDK registry with xidentity)
+ * @param payload - { user_cred, mnemonic?, index, label }
+ * @returns { success, txId?, error? } for Yault UI
+ */
+export async function mintCredentialNft(sdk, recipientSolanaAddress, payload) {
+    const note = {
+        title: NOTE_TITLE,
+        content: JSON.stringify(payload),
+        metadata: { createdAt: new Date().toISOString() },
+    };
+    const result = await sdk.mintMessage(note, recipientSolanaAddress, {
+        name: `${NOTE_TITLE} — ${payload.label}`,
+        description: `Path index ${payload.index}. Decrypt in Yallet to view credentials.`,
+    });
+    if (result.success) {
+        return {
+            success: true,
+            txId: result.assetId ?? result.signature ?? undefined,
+        };
+    }
+    return {
+        success: false,
+        error: result.error ?? 'Mint failed',
+    };
+}
+//# sourceMappingURL=credential-nft.js.map

package/dist/credential-nft.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"credential-nft.js","sourceRoot":"","sources":["../src/credential-nft.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAoBH,MAAM,UAAU,GAAG,2BAA2B,CAAC;AAE/C;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,GAAiB,EACjB,sBAA8B,EAC9B,OAA6B;IAE7B,MAAM,IAAI,GAAG;QACX,KAAK,EAAE,UAAU;QACjB,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC;QAChC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,EAAE;KAClD,CAAC;IAEF,MAAM,MAAM,GAAe,MAAM,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,sBAAsB,EAAE;QAC7E,IAAI,EAAE,GAAG,UAAU,MAAM,OAAO,CAAC,KAAK,EAAE;QACxC,WAAW,EAAE,cAAc,OAAO,CAAC,KAAK,0CAA0C;KACnF,CAAC,CAAC;IAEH,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACnB,OAAO;YACL,OAAO,EAAE,IAAI;YACb,IAAI,EAAE,MAAM,CAAC,OAAO,IAAI,MAAM,CAAC,SAAS,IAAI,SAAS;SACtD,CAAC;IACJ,CAAC;IAED,OAAO;QACL,OAAO,EAAE,KAAK;QACd,KAAK,EAAE,MAAM,CAAC,KAAK,IAAI,aAAa;KACrC,CAAC;AACJ,CAAC"}